Identify threats to ePHI with these six tips

HIM Connection, June 13, 2006

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

Understanding threat components and creating a reference list of threats will get you started in identifying threats to your electronic protected health information (ePHI). However, you need to narrow down the list to those that are most realistically specific to your organization and its vulnerabilities. Here are six good strategies to do this.

  1. Interview your risk-analysis team
    Ask the members of your risk-analysis project team to list the threats they think exist in your environment. Your list should suggest major categories of threats without providing specifics that might constrain your team's thinking. Ask team members to consider possible scenarios in which threats might occur. For example, your information technology (IT) staff may turn off security controls during system upgrades; an accidental threat would be forgetting to turn the controls back on. Nurses in intensive care may wonder whether their workstations are still virus-protected when they are left on. Don't reject any ideas people may have.

  2. Interview other staff members
    Using the same list of threats, randomly interview managers, system administrators, help desk personnel, risk management staff, corporate compliance officers, protective services personnel, and others who may be in a position to be aware of threats. Your risk-analysis project team may include representatives from many of these areas, but the members may not all be involved with day-to-day operations where they see or think about threats. When interviewing other managers, make sure you cover every area where ePHI is created or used, including patient financial services, patient access, HIM, IT, contracting, customer service, medical review, custodial service, quality improvement, research, ancillary departments, and physician offices.

  3. Review reports of past incidents and complaints
    Review information security incident reports, security violation reports, privacy complaints, corporate compliance hotline records, accounting audits, and any other internal resources that might describe potential threats. Statements from these sources may not always explicitly articulate a threat; you may need to discern it from the underlying comments. Reviewing these written reports after interviewing staff can help ensure completeness, because staff may be unaware of an underlying security threat suggested by a privacy complaint or a financial auditor's report.

  4. Review news articles
    Review news articles covering threats that have occurred in other healthcare organizations, as well as nearby businesses or other institutions. Are conditions in your organization similar to those that existed in an organization where a threat occurred, so that the same thing could happen to you?

  5. Discuss security with your organization's business associates
    Discuss information security practices with your business associates. Knowing about their practices may help you with your own security planning.

  6. Contact police and other external security resources
    Contact local police departments and the Federal Bureau of Investigation (FBI) offices, the Federal Computer Incident Response Center, and other resources that focus on security, such as security services organizations. Many have Web sites to help you determine new threats in your locale.

Editor's Note: This article was adapted from HCPro, Inc.'s book Complete Guide to HIPAA Security Risk Analysis: A Step-By-Step Approach by Margret Amatayakul, MBA, RHIA, CHPS, FHIMSS and Steven S. Lazarus, PhD, FHIMSS. For more information or to order, go to www.hcmarketplace.com, or call 877/727-1728.